The argument validation in r296956 was not enough to close all possible
overflows in sysarch(2). Submitted by: Kun Yang <kun.yang chaitin.com> Patch by: kib Security: SA-16:15
This commit is contained in:
glebius
parent
038f108fc2
commit
856adf7415
@ -608,6 +608,8 @@ amd64_set_ldt(td, uap, descs)
|
|||||||
largest_ld = uap->start + uap->num;
|
largest_ld = uap->start + uap->num;
|
||||||
if (largest_ld > max_ldt_segment)
|
if (largest_ld > max_ldt_segment)
|
||||||
largest_ld = max_ldt_segment;
|
largest_ld = max_ldt_segment;
|
||||||
|
if (largest_ld < uap->start)
|
||||||
|
return (EINVAL);
|
||||||
i = largest_ld - uap->start;
|
i = largest_ld - uap->start;
|
||||||
mtx_lock(&dt_lock);
|
mtx_lock(&dt_lock);
|
||||||
bzero(&((struct user_segment_descriptor *)(pldt->ldt_base))
|
bzero(&((struct user_segment_descriptor *)(pldt->ldt_base))
|
||||||
@ -620,7 +622,8 @@ amd64_set_ldt(td, uap, descs)
|
|||||||
/* verify range of descriptors to modify */
|
/* verify range of descriptors to modify */
|
||||||
largest_ld = uap->start + uap->num;
|
largest_ld = uap->start + uap->num;
|
||||||
if (uap->start >= max_ldt_segment ||
|
if (uap->start >= max_ldt_segment ||
|
||||||
largest_ld > max_ldt_segment)
|
largest_ld > max_ldt_segment ||
|
||||||
|
largest_ld < uap->start)
|
||||||
return (EINVAL);
|
return (EINVAL);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user